Sonicwall Pro 4060 xAuth

Good Morning,

I have set up our new Sonicwall Pro 4060 and all is fine except that Global VPN users can't log in if I use xauth. If i set it for "allow unauthenticated users" then users can connect, but I need to have it working with xauth. At this point, I don't see why xauth is not working.



Please help.

Helmut K
HELMUTHKAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Khandakar Ashfaqur RahmanExpert/ConsultantCommented:
0
HELMUTHKAuthor Commented:
Thanks for the info, but this does not resolve my problem.

Here is more information on setup and config:

I am logging in from Windows XP machine with sonicwall client. Also tried the login from a windows 7 system, with the latest Sonicwall Global VPN client. Same results. OK if  set it for "allow unauthenticated users", but does not accept user ID/Password when set to use  xauth on the Pro 4060.

Here is my config from the 4060:
General tab
Wan Group VPN
IKE using preshared secret

Proposals phase1
DH group = Group2
ENC = 3des
Auth = SHA1
Lifetime = 28800

Proposals phase2
Protocol = ESP
ENC = 3DES
Auth = MD5

Enable perfect forward secrecy = yes
DH group = Group2
lifetime = 28800

Advanced Tab
Management via this sa = https

when set for xauth: User Group for XAUTH = Trusted Users.
I also created a new group called Global VPN Users, added the users/mambers to this group, VPN access to LAN subnets. Wont allow user\password to connect.

When set for "allow Unauthenticated VPN client access" = LAN Subnets, connects properly.

Client Tab
Allow connections to = This Gateway Only


Thanks,

Helmut K
0
KonsultantCommented:
Hi Helmut,

Can you provide logs from GVC and from the sonicwall. You should see in the logs the reasons why the user was not authenticated. Also, for your testing it may not work when you are connected as admin from the same source IP address. So make sure that when you are testing you are not logged in as Admin at the same time.

Good luck!
0
Determine the Perfect Price for Your IT Services

Do you wonder if your IT business is truly profitable or if you should raise your prices? Learn how to calculate your overhead burden with our free interactive tool and use it to determine the right price for your IT services. Download your free eBook now!

HELMUTHKAuthor Commented:
Log from 4060:

1 03/21/2012 10:40:12.656 Info Authenticated Access Configuration mode administration session started 192.168.0.213, 0, X0 (admin) 192.168.0.5, 80, X0 admin at GUI from 192.168.0.213  
2 03/21/2012 10:40:12.656 Info Authenticated Access Administrator login allowed 192.168.0.213, 0, X0 (admin) 192.168.0.5, 80, X0 admin, TCP HTTP  
3 03/21/2012 10:39:47.768 Info PPP PPP message: LCP Echo Reply sent        
4 03/21/2012 10:39:47.768 Info PPP PPP message: LCP Echo Request Received        
5 03/21/2012 10:39:47.768 Info PPP PPP message: LCP: RX <pppoe client> <1> Echo-Request len=8 id=0xF9 state=9        
6 03/21/2012 10:39:26.608 Alert Intrusion Prevention Probable port scan detected 173.194.33.40, 80, X1 209.53.201.211, 49578, X1 TCP scanned port list, 58864, 31332, 28539, 16340, 53586, 32797, 47627, 42182, 6607, 49578  
7 03/21/2012 10:39:11.336 Alert Intrusion Prevention Possible port scan detected 173.194.33.40, 80, X1 209.53.201.211, 45041, X1 TCP scanned port list, 11445, 54875, 45123, 55020, 32341  
8 03/21/2012 10:38:47.656 Info PPP PPP message: LCP Echo Reply sent        
9 03/21/2012 10:38:47.656 Info PPP PPP message: LCP Echo Request Received        
10 03/21/2012 10:38:47.656 Info PPP PPP message: LCP: RX <pppoe client> <1> Echo-Request len=8 id=0xF8 state=9        
11 03/21/2012 10:38:41.240 Error VPN Client XAUTH Failed with VPN client, Authentication failure 209.53.201.213 (HELMUTK) 209.53.201.211 HELMUTK  
12 03/21/2012 10:38:41.240 Info Authenticated Access User login denied due to bad credentials 209.53.201.213, 0, X1 209.53.201.211, 0, X1 HELMUTK, TCP Port: 0  
13 03/21/2012 10:38:41.064 Info VPN IKE IKE Responder: Aggressive Mode complete (Phase 1) 209.53.201.213, 500 (HELMUTK) 209.53.201.211, 500 VPN Policy: WAN GroupVPN;3DES; SHA1; DH Group 2; lifetime=28800 secs  
14 03/21/2012 10:38:40.816 Info VPN IKE IKE Responder: Received Aggressive Mode request (Phase 1) 209.53.201.213, 500 (HELMUTK) 209.53.201.211, 500    
15 03/21/2012 10:38:38.656 Error VPN Client XAUTH Failed with VPN client, Authentication failure 209.53.201.213 (HELMUTK) 209.53.201.211 HELMUTK  
16 03/21/2012 10:38:38.656 Info Authenticated Access User login denied due to bad credentials 209.53.201.213, 0, X1 209.53.201.211, 0, X1 HELMUTK, TCP Port: 0  
17 03/21/2012 10:38:38.416 Info VPN IKE IKE Responder: Aggressive Mode complete (Phase 1) 209.53.201.213, 500 (helmutk) 209.53.201.211, 500 VPN Policy: WAN GroupVPN;3DES; SHA1; DH Group 2; lifetime=28800 secs  
18 03/21/2012 10:38:38.144 Info VPN IKE IKE Responder: Received Aggressive Mode request (Phase 1) 209.53.201.213, 500 (helmutk) 209.53.201.211, 500    
19 03/21/2012 10:38:25.304 Info VPN IKE Received IKE SA delete request 209.53.201.213, 500 (helmutk) 209.53.201.211, 500 VPN Policy: WAN GroupVPN  
20 03/21/2012 10:38:25.144 Info VPN IKE IKE Responder: Aggressive Mode complete (Phase 1) 209.53.201.213, 500 (helmutk) 209.53.201.211, 500 VPN Policy: WAN GroupVPN;3DES; SHA1; DH Group 2; lifetime=28800 secs  
21 03/21/2012 10:38:24.880 Info VPN IKE IKE Responder: Received Aggressive Mode request (Phase 1) 209.53.201.213, 500 (helmutk) 209.53.201.211, 500    
22 03/21/2012 10:38:12.784 Error VPN Client XAUTH Failed with VPN client, Authentication failure 209.53.201.213 (helmutk) 209.53.201.211 helmutk  
23 03/21/2012 10:38:12.784 Info Authenticated Access User login denied due to bad credentials 209.53.201.213, 0, X1 209.53.201.211, 0, X1 helmutk, TCP Port: 0  
24 03/21/2012 10:38:12.640 Info VPN IKE IKE Responder: Aggressive Mode complete (Phase 1) 209.53.201.213, 500 (helmutk) 209.53.201.211, 500 VPN Policy: WAN GroupVPN;3DES; SHA1; DH Group 2; lifetime=28800 secs  
25 03/21/2012 10:38:12.416 Info VPN IKE IKE Responder: Received Aggressive Mode request (Phase 1) 209.53.201.213, 500 (helmutk) 209.53.201.211, 500    
26 03/21/2012 10:38:08.064 Error VPN Client XAUTH Failed with VPN client, Authentication failure 209.53.201.213 (helmutk) 209.53.201.211 helmutk  
27 03/21/2012 10:38:08.064 Info Authenticated Access User login denied due to bad credentials 209.53.201.213, 0, X1 209.53.201.211, 0, X1 helmutk, TCP Port: 0  
28 03/21/2012 10:38:08.016 Info VPN IKE IKE Responder: Aggressive Mode complete (Phase 1) 209.53.201.213, 500 209.53.201.211, 500 VPN Policy: WAN GroupVPN;3DES; SHA1; DH Group 2; lifetime=28800 secs  
29 03/21/2012 10:38:07.896 Info VPN IKE IKE Responder: Received Aggressive Mode request (Phase 1) 209.53.201.213, 500 209.53.201.211, 500    
30 03/21/2012 10:37:57.704 Info VPN IKE Received IKE SA delete request 209.53.201.213, 500 209.53.201.211, 500 VPN Policy: WAN GroupVPN  
31 03/21/2012 10:37:57.608 Info VPN IKE IKE Responder: Aggressive Mode complete (Phase 1) 209.53.201.213, 500 209.53.201.211, 500 VPN Policy: WAN GroupVPN;3DES; SHA1; DH Group 2; lifetime=28800 secs  
32 03/21/2012 10:37:57.608 Info VPN IKE NAT Discovery : Peer IPSec Security Gateway behind a NAT/NAPT Device      
33 03/21/2012 10:37:57.496 Info VPN IKE IKE Responder: Received Aggressive Mode request (Phase 1) 209.53.201.213, 500 209.53.201.211, 500    
34 03/21/2012 10:37:47.576 Info PPP PPP message: LCP Echo Reply sent        
35 03/21/2012 10:37:47.576 Info PPP PPP message: LCP Echo Request Received        
36 03/21/2012 10:37:47.576 Info PPP PPP message: LCP: RX <pppoe client> <1> Echo-Request len=8 id=0xF7 state=9        
37 03/21/2012 10:37:44.144 Info Authenticated Access GUI administration session ended 192.168.0.213, 0, X0 (admin) 192.168.0.5, 80, X0 admin  
38 03/21/2012 10:37:44.144 Info Authenticated Access Configuration mode administration session ended 192.168.0.213, 0, X0 (admin) 192.168.0.5, 80, X0 admin at GUI from 192.168.0.213  
39 03/21/2012 10:37:44.144 Info Authenticated Access Administrator logged out 192.168.0.213, 0, X0 (admin) 192.168.0.5, 80, X0 User logged out  
40 03/21/2012 10:36:47.464 Info PPP PPP message: LCP Echo Reply sent        
41 03/21/2012 10:36:47.464 Info PPP PPP message: LCP Echo Request Received        
42 03/21/2012 10:36:47.464 Info PPP PPP message: LCP: RX <pppoe client> <1> Echo-Request len=8 id=0xF6 state=9        
43 03/21/2012 10:35:47.352 Info PPP PPP message: LCP Echo Reply sent        
44 03/21/2012 10:35:47.352 Info PPP PPP message: LCP Echo Request Received        
45 03/21/2012 10:35:47.352 Info PPP PPP message: LCP: RX <pppoe client> <1> Echo-Request len=8 id=0xF5 state=9        
46 03/21/2012 10:34:36.592 Info Authenticated Access Configuration mode administration session started 192.168.0.213, 0, X0 (admin) 192.168.0.5, 80, X0 admin at GUI from 192.168.0.213  
47 03/21/2012 10:34:36.592 Info Authenticated Access Administrator login allowed 192.168.0.213, 0, X0 (admin) 192.168.0.5, 80, X0 admin, TCP HTTP  
48 03/21/2012 10:33:47.176 Info PPP PPP message: LCP Echo Reply sent        
49 03/21/2012 10:33:47.176 Info PPP PPP message: LCP Echo Request Received        
50 03/21/2012 10:33:47.176 Info PPP PPP message: LCP: RX <pppoe client> <1> Echo-Request len=8 id=0xF3 state=9        


Log from laptop:

Shows "user authentication has failed"


It must be something quite simple. such as spelling or caps, etc, but I don't see it, and I have checked the configuration many times. I guess I will have to go over it all again.

Regards,

helmut K.
0
HELMUTHKAuthor Commented:
Hello All,

I resolved the problem. The user ID is case sensitivr as well as the password.

Problem Fixed.

Thanks to those who tried to help.

Helmut K.
0
KonsultantCommented:
Yes it is... It never crossed my mind that you would use different capitalization.
Good luck!

P.S. I had problem in past testing GVC from the same network as WAN interface. I am not sure if this is valid today.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Routers

From novice to tech pro — start learning today.